Remove dependency on the runner's volume (#244)

* bump actions

* experiment using init container to prepare working environment

* rm script before continuing

* fix

* Update packages/k8s/src/hooks/run-script-step.ts

Co-authored-by: Copilot <[email protected]>

* leverage exec stat instead of printf

* npm update

* document the new constraint

---------

Co-authored-by: DenisPalnitsky <[email protected]>

Author: nikola-jokic

examples/extension.yaml

@@ -4,9 +4,6 @@ metadata:
   labels:
     labeled-by: "extension"
 spec:
-  securityContext:
-    runAsUser: 1000
-    runAsGroup: 3000
   restartPolicy: Never
   containers:
   - name: $job # overwrites job container

package-lock.json

@@ -22,9 +22,6 @@ rules:
 - apiGroups: [""]
   resources: ["pods/log"]
   verbs: ["get", "list", "watch",]
-- apiGroups: ["batch"]
-  resources: ["jobs"]
-  verbs: ["get", "list", "create", "delete"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "list", "create", "delete"]
@@ -43,3 +40,4 @@ rules:
 - Building container actions from a dockerfile is not supported at this time
 - Container actions will not have access to the services network or job container network
 - Docker [create options](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions) are not supported
+- Container actions will have to specify the entrypoint, since the default entrypoint will be overridden to run the commands from the workflow.

packages/k8s/README.md

@@ -20,17 +20,18 @@
     "hooklib": "file:../hooklib",
     "js-yaml": "^4.1.0",
     "shlex": "^3.0.0",
+    "tar-fs": "^3.1.0",
     "uuid": "^11.1.0"
   },
   "devDependencies": {
-    "@babel/core": "^7.25.2",
-    "@babel/preset-env": "^7.25.4",
+    "@babel/core": "^7.28.3",
+    "@babel/preset-env": "^7.28.3",
     "@types/jest": "^30.0.0",
-    "@types/node": "^24.0.14",
+    "@types/node": "^24.3.0",
     "@vercel/ncc": "^0.38.3",
-    "babel-jest": "^30.0.4",
-    "jest": "^30.0.4",
-    "ts-jest": "^29.4.0",
-    "typescript": "^5.8.3"
+    "babel-jest": "^30.1.1",
+    "jest": "^30.1.1",
+    "ts-jest": "^29.4.1",
+    "typescript": "^5.9.2"
   }
 }

packages/k8s/package-lock.json

@@ -1,5 +1,4 @@
 import * as core from '@actions/core'
-import * as io from '@actions/io'
 import * as k8s from '@kubernetes/client-node'
 import {
   JobContainerInfo,
@@ -8,26 +7,33 @@ import {
   writeToResponseFile,
   ServiceContainerInfo
 } from 'hooklib'
-import path from 'path'
 import {
   containerPorts,
-  createPod,
+  createJobPod,
   isPodContainerAlpine,
   prunePods,
   waitForPodPhases,
-  getPrepareJobTimeoutSeconds
+  getPrepareJobTimeoutSeconds,
+  execCpToPod,
+  execPodStep
 } from '../k8s'
 import {
-  containerVolumes,
+  CONTAINER_VOLUMES,
   DEFAULT_CONTAINER_ENTRY_POINT,
   DEFAULT_CONTAINER_ENTRY_POINT_ARGS,
   generateContainerName,
   mergeContainerWithOptions,
   readExtensionFromFile,
   PodPhase,
-  fixArgs
+  fixArgs,
+  prepareJobScript
 } from '../k8s/utils'
-import { CONTAINER_EXTENSION_PREFIX, JOB_CONTAINER_NAME } from './constants'
+import {
+  CONTAINER_EXTENSION_PREFIX,
+  getJobPodName,
+  JOB_CONTAINER_NAME
+} from './constants'
+import { dirname } from 'path'
 
 export async function prepareJob(
   args: PrepareJobArgs,
@@ -40,11 +46,9 @@ export async function prepareJob(
   await prunePods()
 
   const extension = readExtensionFromFile()
-  await copyExternalsToRoot()
 
   let container: k8s.V1Container | undefined = undefined
   if (args.container?.image) {
-    core.debug(`Using image '${args.container.image}' for job image`)
     container = createContainerSpec(
       args.container,
       JOB_CONTAINER_NAME,
@@ -56,7 +60,6 @@ export async function prepareJob(
   let services: k8s.V1Container[] = []
   if (args.services?.length) {
     services = args.services.map(service => {
-      core.debug(`Adding service '${service.image}' to pod definition`)
       return createContainerSpec(
         service,
         generateContainerName(service.image),
@@ -72,7 +75,8 @@ export async function prepareJob(
 
   let createdPod: k8s.V1Pod | undefined = undefined
   try {
-    createdPod = await createPod(
+    createdPod = await createJobPod(
+      getJobPodName(),
       container,
       services,
       args.container.registry,
@@ -92,6 +96,13 @@ export async function prepareJob(
     `Job pod created, waiting for it to come online ${createdPod?.metadata?.name}`
   )
 
+  const runnerWorkspace = dirname(process.env.RUNNER_WORKSPACE as string)
+
+  let prepareScript: { containerPath: string; runnerPath: string } | undefined
+  if (args.container?.userMountVolumes?.length) {
+    prepareScript = prepareJobScript(args.container.userMountVolumes || [])
+  }
+
   try {
     await waitForPodPhases(
       createdPod.metadata.name,
@@ -104,6 +115,28 @@ export async function prepareJob(
     throw new Error(`pod failed to come online with error: ${err}`)
   }
 
+  await execCpToPod(createdPod.metadata.name, runnerWorkspace, '/__w')
+
+  if (prepareScript) {
+    await execPodStep(
+      ['sh', '-e', prepareScript.containerPath],
+      createdPod.metadata.name,
+      JOB_CONTAINER_NAME
+    )
+
+    const promises: Promise<void>[] = []
+    for (const vol of args?.container?.userMountVolumes || []) {
+      promises.push(
+        execCpToPod(
+          createdPod.metadata.name,
+          vol.sourceVolumePath,
+          vol.targetVolumePath
+        )
+      )
+    }
+    await Promise.all(promises)
+  }
+
   core.debug('Job pod is ready for traffic')
 
   let isAlpine = false
@@ -127,7 +160,7 @@ function generateResponseFile(
   responseFile: string,
   args: PrepareJobArgs,
   appPod: k8s.V1Pod,
-  isAlpine
+  isAlpine: boolean
 ): void {
   if (!appPod.metadata?.name) {
     throw new Error('app pod must have metadata.name specified')
@@ -184,17 +217,6 @@ function generateResponseFile(
   writeToResponseFile(responseFile, JSON.stringify(response))
 }
 
-async function copyExternalsToRoot(): Promise<void> {
-  const workspace = process.env['RUNNER_WORKSPACE']
-  if (workspace) {
-    await io.cp(
-      path.join(workspace, '../../externals'),
-      path.join(workspace, '../externals'),
-      { force: true, recursive: true, copySourceDirectory: false }
-    )
-  }
-}
-
 export function createContainerSpec(
   container: JobContainerInfo | ServiceContainerInfo,
   name: string,
@@ -244,10 +266,7 @@ export function createContainerSpec(
     })
   }
 
-  podContainer.volumeMounts = containerVolumes(
-    container.userMountVolumes,
-    jobContainer
-  )
+  podContainer.volumeMounts = CONTAINER_VOLUMES
 
   if (!extension) {
     return podContainer